
Possible chronic trojan infection / Spontaneous Firewall Deactivation


  • This topic is locked
23 replies to this topic

#1 gravitron5

gravitron5

  • Members
  • 19 posts
  • OFFLINE
  • Local time:08:20 PM

Posted 23 September 2010 - 11:34 PM

Hello,

About a month ago, I bought a new laptop. Prior to transferring my personal files from my removable hard drive to my new machine, I decided to scan the drive for viruses. Since I'm paranoid, I used four programs: Microsoft Security Essentials, MBAM, Dr. Web Cureit, & ESET's online scanner, performing the scans between 8/18/10 & 8/19/10. MSE, MBAM, Cureit, & Eset each found viruses, and quarantined or removed them. Scans following removal showed no threats, so I copied my files onto the new machine.

On 9/4/10, my computer somehow got infected again. General symptoms included an inability to connect to the Internet (even though my WiFi status was "Connected"), nor could I save files to the hard drive (kept saying the drive was full, even though I have ~200 GB free space). I disconnected from the Internet & ran a scan w/ MBAM & Dr. Web Cureit, which found & removed several viruses. Subsequent scans with both of those, along with MSE & ESET's online scanner, showed nothing. After this incident, I installed full versions of MBAM & Sandboxie, and the free version of ThreatFire, and started using a non-administrator account for all my Internet surfing. I also replaced my Windows Firewall with Comodo's Firewall.

Then, around 1845 hrs EST on 9/22/10, I found myself (again) unable to connect to the Internet. Even though I'd taken no action to deactivate it, Comodo's firewall somehow got turned off (the icon no longer appeared in my system tray), and attempts to open either Comodo or ThreatFire led to error messages saying something like "The memory could not be 'read'.". Dell ControlPoint also returned errors, saying it couldn't run. Control-Alt-Del only brought up a Sandboxie error message.

When I tried scanning with MSE, I got an "insufficient memory" error; although (for unknown reasons) I was eventually able to get an MSE scan started. Meanwhile, I scanned with MBAM, which found ~250 items (mostly Windows system files) infected with something called "Trojan.Agent". MBAM managed to clean them (though it inexplicably failed to save a log file), and subsequent scans with MBAM, MSE, and DrWeb Cureit turned up clean.

So my question is: Do I just have really bad luck, or is there something (undetectable by MSE, MBAM, Cureit, or ESET) that's causing these recurring problems? If the above programs say I'm "clean", am I really, or might there be something else lurking on my system? I'm particularly concerned about how Comodo's firewall seems to have been spontaneously deactivated without any action on my part; this, along with the subsequent infection, leads me to wonder whether something might've sabotaged it.

I initially posted in the "Are you infected" forum here:

http://www.bleepingcomputer.com/forums/topic349123.html

...but I was redirected here when they couldn't find anything. Here's the DDS.txt log from my DDS scan:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Vengence at 22:57:34.45 on Thu 09/23/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3510.2442 [GMT -4:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\WINDOWS\OA015Mon.exe
C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe
C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
C:\Program Files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmNotify.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Documents and Settings\Vengence\Desktop\Apps\startscr.exe
C:\Program Files\DellTPad\Apntex.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Intel\Intel® Management Engine Components\IMSS\PrivacyIconClient.exe
C:\Documents and Settings\Vengence\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.bing.com
uSearch Bar = hxxp://www.bing.com/sphome.aspx
mSearchAssistant = hxxp://www.bing.com/sphome.aspx
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [OA015Mon] c:\windows\OA015Mon.exe
mRun: [IAStorIcon] c:\program files\intel\intel® rapid storage technology\IAStorIcon.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
mRun: [IMSS] "c:\program files\intel\intel® management engine components\imss\PIconStartup.exe"
mRun: [DellControlPoint] "c:\program files\dell\dell controlpoint\Dell.ControlPoint.exe"
mRun: [WavXMgr] c:\program files\wave systems corp\services manager\docmgr\bin\WavXDocMgr.exe
mRun: [USCService] c:\program files\dell\dell controlpoint\security manager\BcmDeviceAndTaskStatusService.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Dell Webcam Central] "c:\program files\dell webcam\dell webcam central\WebcamDell2.exe" /mode2
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [boincmgr] "c:\program files\boinc\boincmgr.exe" /a /s
mRun: [boinctray] "c:\program files\boinc\boinctray.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [ThreatFire] c:\program files\threatfire\TFTray.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\vengence\startm~1\programs\startup\startscr.lnk - c:\documents and settings\vengence\desktop\apps\startscr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\tdmnot~1.lnk - c:\program files\wave systems corp\trusted drive manager\TdmNotify.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1282174238171
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\guard32.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 wvauth

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\vengence\applic~1\mozilla\firefox\profiles\24cdjfu0.default\
FF - prefs.js: browser.startup.homepage -
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 stdflt;Disk Filter Driver for Accelerometer;c:\windows\system32\drivers\stdfltn.sys [2010-8-12 17072]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2010-9-4 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2010-9-4 59664]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2010-6-4 229312]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2010-6-1 25240]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\dell\dell controlpoint\DCPButtonSvc.exe [2009-11-20 278304]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2010-6-1 1778480]
R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostControlService.exe [2010-3-24 812448]
R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostStorageService.exe [2010-3-24 27040]
R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\dell\dell controlpoint\system manager\DCPSysMgrSvc.exe [2009-12-10 376608]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\intel\intel® rapid storage technology\IAStorDataMgrSvc.exe [2010-8-12 13336]
R2 InstallFilterService;FF Install Filter Service;c:\program files\stmicroelectronics\accelerometerp11\InstallFilterService.exe [2010-8-12 60928]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-8-18 304464]
R2 risdpcie;risdpcie;c:\windows\system32\drivers\risdpe86.sys [2010-8-12 59904]
R2 ThreatFire;ThreatFire;c:\program files\threatfire\tfservice.exe service --> c:\program files\threatfire\TFService.exe service [?]
R2 UNS;Intel® Management & Security Application User Notification Service;c:\program files\intel\intel® management engine components\uns\UNS.exe [2010-8-12 2533400]
R3 Acceler;Accelerometer Service;c:\windows\system32\drivers\Accelern.sys [2010-8-12 42672]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2010-8-12 113664]
R3 CtAudDrv;Provides advanced audio effects for audio devices.;c:\windows\system32\drivers\CtAudDrv.sys [2010-8-12 134144]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [2010-8-12 144576]
R3 cvusbdrv;Dell ControlVault;c:\windows\system32\drivers\cvusbdrv.sys [2010-8-12 33832]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [2010-8-12 167080]
R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2010-8-12 132480]
R3 IntcDAud;Intel® Display Audio;c:\windows\system32\drivers\IntcDAud.sys [2010-8-12 235520]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-8-18 20952]
R3 OA015Afx;Provides a software interface to control audio effects of OA015 camera.;c:\windows\system32\drivers\OA015Afx.sys [2010-8-12 134144]
R3 OA015Vid;Creative Camera OA015 Function Driver;c:\windows\system32\drivers\OA015Vid.sys [2010-8-12 273568]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2010-8-9 123112]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2010-9-4 33552]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-25 14336]

=============== Created Last 30 ================

2010-09-23 18:56:49 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-09-23 18:56:44 0 d-----w- c:\program files\SUPERAntiSpyware
2010-09-22 22:55:40 108189 ----a-w- c:\windows\system32\SNAGIT7
2010-09-05 23:16:23 0 d-----w- c:\documents and settings\vengence\DoctorWeb
2010-09-05 02:14:45 59664 ----a-w- c:\windows\system32\drivers\TfSysMon.sys
2010-09-05 02:14:45 51984 ----a-w- c:\windows\system32\drivers\TfFsMon.sys
2010-09-05 02:14:45 33552 ----a-w- c:\windows\system32\drivers\TfNetMon.sys
2010-09-05 02:14:42 0 d-----w- c:\program files\ThreatFire
2010-09-05 02:14:42 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-09-05 01:51:21 0 d--h--w- C:\VritualRoot
2010-09-05 01:51:04 0 d-----w- c:\docume~1\alluse~1\applic~1\COMODO
2010-09-05 01:36:36 0 d-----w- c:\program files\COMODO
2010-09-05 01:28:08 0 d-----w- c:\docume~1\alluse~1\applic~1\Comodo Downloader
2010-09-04 23:02:01 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2010-09-04 22:33:56 0 d-----w- c:\docume~1\vengence\applic~1\Malwarebytes
2010-09-04 22:08:46 0 d-----w- c:\docume~1\vengence\applic~1\Office Genuine Advantage
2010-09-04 22:06:43 0 d-----w- c:\docume~1\vengence\applic~1\Windows Search
2010-09-04 22:06:37 0 d-sh--w- c:\documents and settings\vengence\PrivacIE
2010-09-04 22:05:42 0 d-----w- c:\docume~1\vengence\applic~1\Windows Desktop Search
2010-09-04 22:05:42 0 d-----w- c:\docume~1\vengence\applic~1\Wave Systems Corp
2010-09-04 22:05:42 0 d-----w- c:\docume~1\vengence\applic~1\Roxio Log Files
2010-09-04 22:05:42 0 d-----w- c:\docume~1\vengence\applic~1\Intel Corporation
2010-09-04 22:05:42 0 d-----w- c:\docume~1\vengence\applic~1\Intel
2010-09-04 22:05:42 0 d-----w- c:\docume~1\vengence\applic~1\Broadcom
2010-08-25 03:39:18 0 d-----r- C:\Sandbox
2010-08-25 03:36:23 2786 ----a-w- c:\windows\Sandboxie.ini
2010-08-25 03:32:38 0 d-----w- c:\program files\Sandboxie

==================== Find3M ====================

2010-08-23 12:40:48 90353 ----a-w- c:\windows\fonts\AdobeFnt07.lst
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-13 04:00:17 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_cvusbdrv_01005.Wdf
2010-08-13 03:59:23 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_Apfiltr_01009.Wdf
2010-08-13 03:59:22 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
2010-08-12 23:55:57 77824 ----a-w- c:\windows\setpwr32.exe
2010-08-12 23:54:41 3864 ----a-w- c:\windows\system32\drivers\1028_Dell_LAT_E6510.mrk
2010-08-07 12:18:24 3265024 ----a-w- c:\windows\es.scr
2010-08-07 12:18:24 3265024 ----a-w- c:\windows\es.exe
2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-19 21:31:56 1556480 ----a-w- c:\windows\system32\wvauth.dll
2010-07-19 21:24:10 622592 ----a-w- c:\windows\system32\AmRes_de.dll
2010-07-19 21:24:10 593920 ----a-w- c:\windows\system32\AmRes_en.dll
2010-07-19 21:24:08 618496 ----a-w- c:\windows\system32\AmRes_fr.dll
2010-07-19 21:24:08 618496 ----a-w- c:\windows\system32\AmRes_es.dll
2010-07-19 21:24:08 614400 ----a-w- c:\windows\system32\AmRes_it.dll
2010-07-19 21:24:04 602112 ----a-w- c:\windows\system32\AmRes_pt-BR.dll
2010-07-19 21:24:04 598016 ----a-w- c:\windows\system32\AmRes_ja.dll
2010-07-19 21:24:04 581632 ----a-w- c:\windows\system32\AmRes_ko.dll
2010-07-19 21:24:02 647168 ----a-w- c:\windows\system32\AmRes_ru.dll
2010-07-19 21:24:00 552960 ----a-w- c:\windows\system32\AmRes_zh-CHT.dll
2010-07-19 21:24:00 552960 ----a-w- c:\windows\system32\AmRes_zh-CHS.dll
2010-07-19 21:23:14 593920 ----a-w- c:\windows\system32\AmRes_da.dll
2010-07-19 21:23:12 618496 ----a-w- c:\windows\system32\AmRes_nl.dll
2010-07-19 21:23:12 589824 ----a-w- c:\windows\system32\AmRes_no.dll
2010-07-19 21:23:10 606208 ----a-w- c:\windows\system32\AmRes_pl.dll
2010-07-19 21:23:10 593920 ----a-w- c:\windows\system32\AmRes_sv.dll
2010-07-19 21:22:52 589824 ----a-w- c:\windows\system32\AmRes_ar.dll
2010-07-19 21:22:50 606208 ----a-w- c:\windows\system32\AmRes_cs.dll
2010-07-19 21:22:48 618496 ----a-w- c:\windows\system32\AmRes_el.dll
2010-07-19 21:22:46 598016 ----a-w- c:\windows\system32\AmRes_fi.dll
2010-07-19 21:22:44 581632 ----a-w- c:\windows\system32\AmRes_he.dll
2010-07-19 21:22:42 610304 ----a-w- c:\windows\system32\AmRes_hu.dll
2010-07-19 21:22:40 610304 ----a-w- c:\windows\system32\AmRes_pt-PT.dll
2010-07-19 21:22:38 614400 ----a-w- c:\windows\system32\AmRes_ro.dll
2010-07-19 21:22:34 602112 ----a-w- c:\windows\system32\AmRes_tr.dll
2010-07-19 21:22:26 552960 ----a-w- c:\windows\system32\AmRes_zh-HK.dll
2010-07-19 21:22:24 585728 ----a-w- c:\windows\system32\AmRes_th.dll
2010-07-19 21:21:48 593920 ----a-w- c:\windows\system32\AmRes_sl.dll
2010-07-19 21:21:46 598016 ----a-w- c:\windows\system32\AmRes_hr.dll
2010-07-19 20:51:52 360448 ----a-w- c:\windows\system32\OEM_Resources.dll
2010-07-19 20:47:40 598016 ----a-w- c:\windows\system32\AmRes_sk.dll
2010-07-17 09:00:04 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-01 17:26:58 828160 ----a-w- c:\windows\boinc.scr
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll

============= FINISH: 23:00:19.56 ===============

I've also attached my Attach.txt file & GMER log (Ark.txt) to this email.

Any assistance would be greatly appreciated. Thanks in advance.
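The DDS.txt above is the kind of log the forum helpers read by hand. The following is an added example, not part of this thread and not code from the DDS tool, showing how a responder can script the same first-pass triage of a DDS "Pseudo HJT Report" section: it pulls out the load points that deserve verification regardless of what the scanners reported (orphaned BHO CLSIDs marked `No File`, `AppInit_DLLs` entries, non-default LSA authentication packages, and winlogon `Notify` DLLs). The sample input is constructed from a handful of lines excerpted from the log posted above; the rule set, the `Finding` class and the `section`/`triage` functions are my own. The output is a verification checklist, not a verdict: in this particular log `guard32.dll` belongs to the COMODO firewall the poster installed, and `wvauth` appears to belong to the Wave Systems software that also shows up in the process list.

```python
import re
from dataclasses import dataclass

# Constructed sample: a few lines excerpted from the DDS.txt posted in this thread,
# trimmed to the entries the triage rules below look at.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.bing.com
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\guard32.dll
LSA: Authentication Packages = msv1_0 wvauth

================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\vengence\applic~1\mozilla\firefox\profiles\24cdjfu0.default\
"""

# The only LSA authentication package present on a default Windows XP install.
DEFAULT_AUTH_PACKAGES = {"msv1_0"}


@dataclass
class Finding:
    kind: str    # which load point the line came from
    detail: str  # the DLL, CLSID or package concerned
    why: str     # what a helper would go and verify


# DDS section banners look like "============== Pseudo HJT Report ===============".
SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")


def section(text: str, title: str) -> list[str]:
    """Return the non-empty lines of the DDS section whose banner contains `title`."""
    lines, inside = [], False
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            inside = title.lower() in m.group(1).lower()
            continue
        if inside and line.strip():
            lines.append(line.rstrip())
    return lines


def triage(text: str) -> list[Finding]:
    """Flag load points in the Pseudo HJT Report that warrant manual verification."""
    findings: list[Finding] = []
    for line in section(text, "Pseudo HJT Report"):
        if line.startswith("BHO:") and line.endswith("- No File"):
            # A BHO CLSID with no backing file: leftover of an uninstall or a cleaned loader.
            m = re.search(r"\{[0-9A-Fa-f-]+\}", line)
            findings.append(Finding("BHO", m.group(0) if m else line,
                                    "orphaned CLSID with no backing file; check what registered it"))
        elif line.startswith("AppInit_DLLs:"):
            # AppInit DLLs are loaded into every process that links user32.dll.
            for dll in line.split(":", 1)[1].split():
                findings.append(Finding("AppInit_DLLs", dll,
                                        "loaded into every user32 process; confirm publisher and signature"))
        elif line.startswith("LSA: Authentication Packages"):
            # Extra LSA packages see plaintext credentials at logon.
            for pkg in line.split("=", 1)[1].split():
                if pkg not in DEFAULT_AUTH_PACKAGES:
                    findings.append(Finding("LSA", pkg,
                                            "non-default authentication package; sees credentials at logon"))
        elif line.startswith("Notify:"):
            # Winlogon notification packages run inside winlogon.exe at logon/logoff.
            _name, _, target = line[len("Notify:"):].strip().partition(" - ")
            why = "winlogon notification DLL; confirm it belongs to installed software"
            if "\\" not in target:
                why += " (no path given, resolved via the DLL search path)"
            findings.append(Finding("Notify", target, why))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.kind}] {f.detail}: {f.why}")
```

Run against a full DDS.txt the same way (`triage(open("DDS.txt").read())`); the rules are deliberately narrow, so anything they print is a place to start checking file signatures and install dates, not a list of infections.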

#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:20 PM

Posted 29 September 2010 - 09:03 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.
  1. Do not run any other tool until instructed to do so!
  2. Please Do not Attach logs or put in code boxes.
  3. Tell me about any problems that have occurred during the fix.
  4. Tell me of any other symptoms you may be having as these can help also.
  5. Do not run anything while running a fix.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:
    Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger may ask you to reboot the machine, if it does - click OK
    Do not re-enable these drivers until otherwise instructed.

Download DDS:
    Please download DDS by sUBs from one of the links below and save it to your desktop:


    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.
    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear:
      • DDS.txt
      • Attach.txt
    • A window will open instructing you save & post the logs
    • Save the logs to a convenient place such as your desktop
    • Copy the contents of both logs & post in your next reply

Scan With RKUnHooker
  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note: you may get this warning; it is OK, just ignore it.

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


Information and logs:
    In your next post I need the following:
      1. Logs from DDS
      2. Log from RKUnHooker
      3. Let me know of any problems you may have had

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 gravitron5

gravitron5
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:08:20 PM

Posted 29 September 2010 - 01:43 PM

Gringo,

I ran DeFogger & DDS, however, I couldn't get Rootkit UnHooker to run. I tried running it on my administrator account, with all my other security software (ThreatFire, MSE, MBAM, Comodo) turned off, but immediately after double-clicking on RKUnhookerLE.EXE, I kept getting a pair of message boxes: the first read, "Failed to enable debug privilege, not critical issue"; the second, "Error, load driver privilege not adjusted". I also got the second error message when I tried running Rootkit UnHooker in Safe Mode.

Am I doing something wrong? Or might this be due to whatever issues my computer is having?

I have copied the DDS logs below:

DDS.txt:


DDS (Ver_10-03-17.01) - NTFSx86
Run by gravitron5 at 12:52:34.32 on Wed 09/29/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3510.2209 [GMT -4:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
c:\drivers\audio\r267815\payload\wdm\stacsv.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\STMicroelectronics\AccelerometerP11\InstallFilterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files\Intel\WiFi\bin\WLKeeper.exe
C:\WINDOWS\system32\SearchIndexer.exe
c:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe
c:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe
C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtwTracePktWpp.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\WINDOWS\OA015Mon.exe
C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe
C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
C:\Program Files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\BOINC\boincmgr.exe
C:\Program Files\BOINC\boinctray.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BOINC\boinc.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmNotify.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Documents and Settings\All Users\Application Data\BOINC\projects\milkyway.cs.rpi.edu_milkyway\milkyway_0.19_windows_intelx86.exe
C:\Documents and Settings\All Users\Application Data\BOINC\projects\milkyway.cs.rpi.edu_milkyway\milkyway_0.19_windows_intelx86.exe
C:\Documents and Settings\All Users\Application Data\BOINC\projects\milkyway.cs.rpi.edu_milkyway\milkyway_0.19_windows_intelx86.exe
C:\Documents and Settings\All Users\Application Data\BOINC\projects\milkyway.cs.rpi.edu_milkyway\milkyway_0.19_windows_intelx86.exe
C:\Program Files\Intel\Intel® Management Engine Components\IMSS\PrivacyIconClient.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\Documents and Settings\gravitron5\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.bing.com
uSearch Bar = hxxp://www.bing.com/sphome.aspx
mSearchAssistant = hxxp://www.bing.com/sphome.aspx
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [OA015Mon] c:\windows\OA015Mon.exe
mRun: [IAStorIcon] c:\program files\intel\intel® rapid storage technology\IAStorIcon.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
mRun: [IMSS] "c:\program files\intel\intel® management engine components\imss\PIconStartup.exe"
mRun: [DellControlPoint] "c:\program files\dell\dell controlpoint\Dell.ControlPoint.exe"
mRun: [WavXMgr] c:\program files\wave systems corp\services manager\docmgr\bin\WavXDocMgr.exe
mRun: [USCService] c:\program files\dell\dell controlpoint\security manager\BcmDeviceAndTaskStatusService.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Dell Webcam Central] "c:\program files\dell webcam\dell webcam central\WebcamDell2.exe" /mode2
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [boincmgr] "c:\program files\boinc\boincmgr.exe" /a /s
mRun: [boinctray] "c:\program files\boinc\boinctray.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [ThreatFire] c:\program files\threatfire\TFTray.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\gravit~1\startm~1\programs\startup\startscr.lnk - c:\thunder\startscr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\tdmnot~1.lnk - c:\program files\wave systems corp\trusted drive manager\TdmNotify.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1282174238171
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\guard32.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 wvauth

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\gravit~1\applic~1\mozilla\firefox\profiles\kevq7tyb.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.jerrypournelle.com/
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 stdflt;Disk Filter Driver for Accelerometer;c:\windows\system32\drivers\stdfltn.sys [2010-8-12 17072]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2010-9-4 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2010-9-4 59664]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2010-6-4 229312]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2010-6-1 25240]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\dell\dell controlpoint\DCPButtonSvc.exe [2009-11-20 278304]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2010-6-1 1778480]
R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostControlService.exe [2010-3-24 812448]
R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostStorageService.exe [2010-3-24 27040]
R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\dell\dell controlpoint\system manager\DCPSysMgrSvc.exe [2009-12-10 376608]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\intel\intel® rapid storage technology\IAStorDataMgrSvc.exe [2010-8-12 13336]
R2 InstallFilterService;FF Install Filter Service;c:\program files\stmicroelectronics\accelerometerp11\InstallFilterService.exe [2010-8-12 60928]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-8-18 304464]
R2 risdpcie;risdpcie;c:\windows\system32\drivers\risdpe86.sys [2010-8-12 59904]
R2 ThreatFire;ThreatFire;c:\program files\threatfire\tfservice.exe service --> c:\program files\threatfire\TFService.exe service [?]
R2 UNS;Intel® Management & Security Application User Notification Service;c:\program files\intel\intel® management engine components\uns\UNS.exe [2010-8-12 2533400]
R3 Acceler;Accelerometer Service;c:\windows\system32\drivers\Accelern.sys [2010-8-12 42672]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2010-8-12 113664]
R3 CtAudDrv;Provides advanced audio effects for audio devices.;c:\windows\system32\drivers\CtAudDrv.sys [2010-8-12 134144]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [2010-8-12 144576]
R3 cvusbdrv;Dell ControlVault;c:\windows\system32\drivers\cvusbdrv.sys [2010-8-12 33832]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [2010-8-12 167080]
R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2010-8-12 132480]
R3 IntcDAud;Intel® Display Audio;c:\windows\system32\drivers\IntcDAud.sys [2010-8-12 235520]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-8-18 20952]
R3 OA015Afx;Provides a software interface to control audio effects of OA015 camera.;c:\windows\system32\drivers\OA015Afx.sys [2010-8-12 134144]
R3 OA015Vid;Creative Camera OA015 Function Driver;c:\windows\system32\drivers\OA015Vid.sys [2010-8-12 273568]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2010-8-9 123112]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2010-9-4 33552]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-25 14336]

=============== Created Last 30 ================

2010-09-29 16:51:47 0 ----a-w- c:\documents and settings\gravitron5\defogger_reenable
2010-09-23 18:56:49 0 d-----w- c:\docume~1\gravit~1\applic~1\SUPERAntiSpyware.com
2010-09-23 18:56:49 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-09-23 18:56:44 0 d-----w- c:\program files\SUPERAntiSpyware
2010-09-22 22:55:40 108189 ----a-w- c:\windows\system32\SNAGIT7
2010-09-05 02:14:45 59664 ----a-w- c:\windows\system32\drivers\TfSysMon.sys
2010-09-05 02:14:45 51984 ----a-w- c:\windows\system32\drivers\TfFsMon.sys
2010-09-05 02:14:45 33552 ----a-w- c:\windows\system32\drivers\TfNetMon.sys
2010-09-05 02:14:42 0 d-----w- c:\program files\ThreatFire
2010-09-05 02:14:42 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-09-05 01:51:21 0 d--h--w- C:\VritualRoot
2010-09-05 01:51:04 0 d-----w- c:\docume~1\alluse~1\applic~1\COMODO
2010-09-05 01:36:36 0 d-----w- c:\program files\COMODO
2010-09-05 01:28:08 0 d-----w- c:\docume~1\alluse~1\applic~1\Comodo Downloader
2010-09-04 23:02:01 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files

==================== Find3M ====================

2010-08-23 12:40:48 90353 ----a-w- c:\windows\fonts\AdobeFnt07.lst
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-13 04:00:17 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_cvusbdrv_01005.Wdf
2010-08-13 03:59:23 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_Apfiltr_01009.Wdf
2010-08-13 03:59:22 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
2010-08-12 23:55:57 77824 ----a-w- c:\windows\setpwr32.exe
2010-08-12 23:54:41 3864 ----a-w- c:\windows\system32\drivers\1028_Dell_LAT_E6510.mrk
2010-08-07 12:18:24 3265024 ----a-w- c:\windows\es.scr
2010-08-07 12:18:24 3265024 ----a-w- c:\windows\es.exe
2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-19 21:31:56 1556480 ----a-w- c:\windows\system32\wvauth.dll
2010-07-19 21:24:10 622592 ----a-w- c:\windows\system32\AmRes_de.dll
2010-07-19 21:24:10 593920 ----a-w- c:\windows\system32\AmRes_en.dll
2010-07-19 21:24:08 618496 ----a-w- c:\windows\system32\AmRes_fr.dll
2010-07-19 21:24:08 618496 ----a-w- c:\windows\system32\AmRes_es.dll
2010-07-19 21:24:08 614400 ----a-w- c:\windows\system32\AmRes_it.dll
2010-07-19 21:24:04 602112 ----a-w- c:\windows\system32\AmRes_pt-BR.dll
2010-07-19 21:24:04 598016 ----a-w- c:\windows\system32\AmRes_ja.dll
2010-07-19 21:24:04 581632 ----a-w- c:\windows\system32\AmRes_ko.dll
2010-07-19 21:24:02 647168 ----a-w- c:\windows\system32\AmRes_ru.dll
2010-07-19 21:24:00 552960 ----a-w- c:\windows\system32\AmRes_zh-CHT.dll
2010-07-19 21:24:00 552960 ----a-w- c:\windows\system32\AmRes_zh-CHS.dll
2010-07-19 21:23:14 593920 ----a-w- c:\windows\system32\AmRes_da.dll
2010-07-19 21:23:12 618496 ----a-w- c:\windows\system32\AmRes_nl.dll
2010-07-19 21:23:12 589824 ----a-w- c:\windows\system32\AmRes_no.dll
2010-07-19 21:23:10 606208 ----a-w- c:\windows\system32\AmRes_pl.dll
2010-07-19 21:23:10 593920 ----a-w- c:\windows\system32\AmRes_sv.dll
2010-07-19 21:22:52 589824 ----a-w- c:\windows\system32\AmRes_ar.dll
2010-07-19 21:22:50 606208 ----a-w- c:\windows\system32\AmRes_cs.dll
2010-07-19 21:22:48 618496 ----a-w- c:\windows\system32\AmRes_el.dll
2010-07-19 21:22:46 598016 ----a-w- c:\windows\system32\AmRes_fi.dll
2010-07-19 21:22:44 581632 ----a-w- c:\windows\system32\AmRes_he.dll
2010-07-19 21:22:42 610304 ----a-w- c:\windows\system32\AmRes_hu.dll
2010-07-19 21:22:40 610304 ----a-w- c:\windows\system32\AmRes_pt-PT.dll
2010-07-19 21:22:38 614400 ----a-w- c:\windows\system32\AmRes_ro.dll
2010-07-19 21:22:34 602112 ----a-w- c:\windows\system32\AmRes_tr.dll
2010-07-19 21:22:26 552960 ----a-w- c:\windows\system32\AmRes_zh-HK.dll
2010-07-19 21:22:24 585728 ----a-w- c:\windows\system32\AmRes_th.dll
2010-07-19 21:21:48 593920 ----a-w- c:\windows\system32\AmRes_sl.dll
2010-07-19 21:21:46 598016 ----a-w- c:\windows\system32\AmRes_hr.dll
2010-07-19 20:51:52 360448 ----a-w- c:\windows\system32\OEM_Resources.dll
2010-07-19 20:47:40 598016 ----a-w- c:\windows\system32\AmRes_sk.dll
2010-07-17 09:00:04 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-01 17:26:58 828160 ----a-w- c:\windows\boinc.scr

============= FINISH: 12:56:20.17 ===============

Attach.txt:


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 8/18/2010 5:29:01 PM
System Uptime: 9/27/2010 12:18:02 PM (48 hours ago)

Motherboard: Dell Inc. | | 02K3Y4
Processor: Intel® Core™ i7 CPU M 620 @ 2.67GHz | CPU 1 | 2660/533mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 298 GiB total, 242.948 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

AccelerometerP11
Adobe Acrobat 6.0 Professional
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.3.4
BioAPI Framework
BOINC
COMODO Internet Security
Dell Backup and Recovery Manager
Dell Control Point
Dell ControlPoint Security Manager
Dell ControlPoint System Manager
Dell ControlVault Host Components Installer
Dell Embassy Trust Suite by Wave Systems
Dell Security Device Driver Pack
Dell Touchpad
Dell Webcam Central
Document Manager Lite
Electric Sheep 2.7b28
EMBASSY Security Center
EMBASSY Security Setup
ESC Home Page Plugin
ESET Online Scanner v3
Folding@home-x86
Gemalto
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB932716-v2)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB953955)
Hotfix for Windows XP (KB954434)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB958347)
Hotfix for Windows XP (KB959252)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB967048-v2)
Hotfix for Windows XP (KB968764)
Hotfix for Windows XP (KB969084)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Integrated Webcam Driver (1.01.01.0531)
Intel PROSet Wireless
Intel® Management Engine Components
Intel® Network Connections 14.8.43.0
Intel® PROSet/Wireless WiFi Software
Intel® Rapid Storage Technology
IrfanView (remove only)
Java Auto Updater
Java™ 6 Update 21
Junk Mail filter update
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft Money 2000 Deluxe
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Search Enhancement Pack
Microsoft Security Essentials
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.6.8)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP3 Parser (KB973685)
MSXML 6.0 Parser (KB927977)
NTRU TCG Software Stack
OGA Notifier 2.0.0048.0
PowerDVD DX
Preboot Manager
Private Information Manager
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE 10.3
Roxio Creator Tools
Roxio Express Labeler 3
Roxio Update Manager
Sandboxie 3.48
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2183461)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB976325)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Security Wizards
Segoe UI
SUPERAntiSpyware
ThreatFire
Trusted Drive Manager
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB982632)
Update for Windows Internet Explorer 8 (KB982664)
Update for Windows XP (KB2141007)
Update for Windows XP (KB898461)
Update for Windows XP (KB951618-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB980182)
UPEK TouchChip Fingerprint Reader
Wave Infrastructure Installer
Wave Support Software
WebFldrs XP
WIDCOMM Bluetooth Software
Winamp
Winamp Detector Plug-in
Windows Driver Package - Dell Inc. PBADRV System (09/11/2009 1.0.1.6)
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
Windows Management Framework Core
Windows Media Format Runtime
Windows Presentation Foundation
Windows Rights Management Client Backwards Compatibility SP2
Windows Rights Management Client with Service Pack 2
Windows Search 4.0
WinZip 14.5
XML Paper Specification Shared Components Pack 1.0

==== Event Viewer Messages From Past Week ========

9/29/2010 12:49:05 PM, error: System Error [1003] - Error code 1000007e, parameter1 c0000005, parameter2 804f162a, parameter3 9da73cbc, parameter4 9da739b8.
9/27/2010 1:27:25 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.91.672.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6201.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
9/26/2010 12:58:54 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.91.612.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6201.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
9/25/2010 12:58:15 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.91.549.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6201.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
9/23/2010 6:21:52 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Beep cmdGuard cmdHlp Fips intelppm IPSec MpFilter MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL Tcpip
9/23/2010 6:21:52 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
9/23/2010 6:21:52 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
9/23/2010 6:21:52 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
9/23/2010 6:21:52 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
9/23/2010 5:31:46 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the ThreatFire service.
9/23/2010 3:17:54 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Beep cmdGuard Fips intelppm MpFilter SASDIFSV SASKUTIL TfFsMon TfSysMon
9/23/2010 2:57:16 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MDM with arguments "" in order to run the server: {0C0A3666-30C9-11D0-8F20-00805F2CD064}
9/23/2010 2:24:32 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
9/23/2010 2:22:51 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
9/23/2010 2:20:17 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Beep cmdGuard Fips intelppm MpFilter TfFsMon TfSysMon
9/23/2010 2:19:17 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
9/23/2010 2:14:06 PM, error: ACPIEC [1] - \Device\ACPIEC: The embedded controller (EC) hardware didn't respond within the timeout period. This may indicate an error in the EC hardware or firmware, or possibly a poorly designed BIOS which accesses the EC in an unsafe manner. The EC driver will retry the failed transaction if possible.
9/23/2010 1:14:39 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.91.437.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6201.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
9/22/2010 6:55:45 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Beep

==== End Of File ===========================

What should I do about RootKit UnHooker?
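The useful part of the Event Viewer block above is reading the Service Control Manager entries together rather than one at a time. On 9/23 at 6:21:52 PM the boot-start drivers that failed to load include the entire XP network stack (AFD, Tcpip, NetBT, NetBIOS, IPSec, MRxSmb), and the 7001 errors logged at the same second are the DNS Client and DHCP Client services failing because of exactly those missing drivers; a machine in that state reports "limited or no connectivity" no matter what the adapter says. The MSE signature-update failures with error 0x8024402c are the Windows Update name-resolution error (WU_E_PT_WINHTTP_NAME_NOT_RESOLVED) and are consistent with the same loss of connectivity. The earlier 7026 entries on 9/23 list only the installed security products' filter drivers (MpFilter, cmdGuard, SASDIFSV, TfFsMon, TfSysMon) plus Beep, Fips and intelppm; a security driver failing to load is worth noting but is not by itself evidence of tampering. The script below is an added example and is not part of this thread or of any tool mentioned in it: it parses event lines in this exact DDS format, splits each 7026 driver list into network-stack drivers, security-product drivers and the rest, lists the services blocked by 7001 dependency failures, and reports which boots cannot have had working networking. The driver-to-product mapping is an assumption based on well-known driver names (the log itself only names the drivers); the sample lines are copied from the log above.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# One DDS "Event Viewer Messages" line:
#   <m/d/yyyy h:mm:ss AM|PM>, <level>: <source> [<event id>] - <message>
EVENT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<event_id>\d+)\] - (?P<msg>.*)$"
)
# Message body of an SCM 7001 dependency failure.
DEP_RE = re.compile(r"^The (?P<svc>.+?) service depends on the (?P<dep>.+?) service which failed to start")

# Boot-start drivers that make up the Windows XP network stack. If any of these is in a
# 7026 event, the machine cannot have had working TCP/IP after that boot.
NETWORK_STACK = {"AFD", "Tcpip", "NetBT", "NetBIOS", "IPSec", "RasAcd", "MRxSmb", "Rdbss"}

# Kernel drivers of the security products installed on this machine. The mapping to a
# product is an assumption from well-known driver names; the log only lists driver names.
SECURITY_DRIVERS = {
    "MpFilter": "Microsoft Security Essentials",
    "cmdGuard": "COMODO Firewall",
    "cmdHlp": "COMODO Firewall",
    "SASDIFSV": "SUPERAntiSpyware",
    "SASKUTIL": "SUPERAntiSpyware",
    "TfFsMon": "ThreatFire",
    "TfSysMon": "ThreatFire",
    "TfNetMon": "ThreatFire",
}


@dataclass(frozen=True)
class Event:
    ts: str
    level: str
    source: str
    event_id: int
    msg: str


def parse_events(text: str) -> list[Event]:
    """Parse every line in the DDS event format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(Event(m["ts"], m["level"], m["source"], int(m["event_id"]), m["msg"]))
    return events


def failed_drivers(ev: Event) -> list[str]:
    """Driver names from an SCM 7026 'failed to load' event; empty for anything else."""
    if ev.source != "Service Control Manager" or ev.event_id != 7026:
        return []
    _, _, names = ev.msg.partition("failed to load:")
    return names.split()


def blocked_services(events: list[Event]) -> list[tuple[str, str]]:
    """(service, missing dependency) pairs from SCM 7001 events, in log order."""
    out = []
    for ev in events:
        if ev.source == "Service Control Manager" and ev.event_id == 7001:
            m = DEP_RE.match(ev.msg)
            if m:
                out.append((m["svc"], m["dep"]))
    return out


def triage(text: str) -> dict[str, dict[str, list[str]]]:
    """Per 7026 event (keyed by timestamp, one per boot), classify the drivers that failed."""
    report = {}
    for ev in parse_events(text):
        drivers = failed_drivers(ev)
        if not drivers:
            continue
        report[ev.ts] = {
            "network_stack": sorted(d for d in drivers if d in NETWORK_STACK),
            "security_products": sorted({SECURITY_DRIVERS[d] for d in drivers if d in SECURITY_DRIVERS}),
            "other": sorted(d for d in drivers if d not in NETWORK_STACK and d not in SECURITY_DRIVERS),
        }
    return report


def boots_without_network(report: dict[str, dict[str, list[str]]]) -> list[str]:
    """Timestamps of boots at which part of the network stack failed to load."""
    return [ts for ts, r in report.items() if r["network_stack"]]


# Sample input: four lines copied from the Event Viewer section of the log above.
SAMPLE_LOG = """\
9/23/2010 6:21:52 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Beep cmdGuard cmdHlp Fips intelppm IPSec MpFilter MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL Tcpip
9/23/2010 6:21:52 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
9/23/2010 6:21:52 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
9/23/2010 3:17:54 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Beep cmdGuard Fips intelppm MpFilter SASDIFSV SASKUTIL TfFsMon TfSysMon
9/22/2010 6:55:45 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Beep
"""

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for ts, r in report.items():
        print(ts, r)
    print("blocked services:", blocked_services(parse_events(SAMPLE_LOG)))
    print("boots without network:", boots_without_network(report))
```

Run it against the whole "Event Viewer Messages From Past Week" block, not just these lines: a 7026 that names only Beep (as on 9/22) is a very different finding from one that names Tcpip and AFD, and the script keeps them apart instead of counting "driver failed to load" events.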

#4 gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 29 September 2010 - 01:54 PM

Hello

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", please restart the computer.

"information and logs"
    In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#5 gravitron5

  • Topic Starter

  • Members
  • 19 posts

Posted 29 September 2010 - 09:56 PM

Gringo,

Well, I (eventually) ran ComboFix, but ran into some hitches along the way. The first time I ran it, I did so with all my security software off. However, I also had my Internet disconnected, since I didn't feel comfortable leaving the connection open when my firewall (Comodo) was deactivated. When ComboFix asked to install the Recovery Console, I tried to reconnect, but I wasn't able to do so; my Intel PROSet Wireless kept saying my connection had "limited or no connectivity". Tried directly connecting to my wireless router via Ethernet, and got a similar message: "This connection has limited or no connectivity".

Since this behavior was vaguely reminiscent of my last virus infection, I guess I panicked, and decided to try reactivating Comodo (which proceeded to automatically update itself). Bad idea; I started getting "access is denied" messages when ComboFix tried to scan. I also started getting error messages whenever I tried double-clicking on ComboFix (or anything else) on my desktop. (I don't remember the exact text; it was something like, "Windows cannot access ComboFix.exe" I think.) So I closed everything down, restarted the computer, and ran ComboFix again. This time, I let it run without installing the Recovery Console, since for whatever reason my Internet was (and still is) down; it ran successfully to completion, and generated the log I've posted below.

My Internet connection is still down; attempts to connect via wireless or Ethernet produce the same "limited or no connectivity" message. Comodo has also started bugging me about a pair of programs, LMS.exe and UNS.exe, that keep trying to access the Internet (even when there's no connection). Comodo Defender+ also seems to have forgotten all its old settings, since whenever I run something for the first time since it updated, I have to tell Comodo to allow it (again).

I really did try to follow the directions as best I could; please don't give up on me & my case.

Combofix log:

ComboFix 10-09-28.03 - gravitron5 09/29/2010 16:02:25.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3510.2505 [GMT -4:00]
Running from: c:\documents and settings\gravitron5\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\es.exe
c:\windows\pthreadGC2.dll

.
((((((((((((((((((((((((( Files Created from 2010-08-28 to 2010-09-29 )))))))))))))))))))))))))))))))
.

2010-09-29 19:47 . 2010-09-29 18:44 2142608 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1E1CF7F9-6908-4A34-9F23-5DE82715B804}\mpavdlta.vdm
2010-09-29 19:47 . 2010-09-29 18:44 434576 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1E1CF7F9-6908-4A34-9F23-5DE82715B804}\mpasdlta.vdm
2010-09-29 19:47 . 2010-09-17 17:28 41722256 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1E1CF7F9-6908-4A34-9F23-5DE82715B804}\mpavbase.vdm
2010-09-29 19:47 . 2010-09-17 17:28 12300688 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1E1CF7F9-6908-4A34-9F23-5DE82715B804}\mpasbase.vdm
2010-09-23 18:57 . 2010-09-23 18:57 63488 ----a-w- c:\documents and settings\gravitron5\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-09-23 18:57 . 2010-09-23 18:57 52224 ----a-w- c:\documents and settings\gravitron5\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-09-23 18:57 . 2010-09-23 18:57 117760 ----a-w- c:\documents and settings\gravitron5\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-09-23 18:56 . 2010-09-23 18:56 -------- d-----w- c:\documents and settings\gravitron5\Application Data\SUPERAntiSpyware.com
2010-09-23 18:56 . 2010-09-23 18:56 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-09-23 18:56 . 2010-09-23 18:56 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-09-23 18:24 . 2010-09-23 18:24 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Search
2010-09-23 18:19 . 2010-09-23 18:19 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-09-09 23:50 . 2010-09-10 00:37 -------- d-----w- c:\documents and settings\Vengence\Local Settings\Application Data\PowerDVD DX
2010-09-07 22:10 . 2010-09-07 22:10 4649824 ----a-w- c:\documents and settings\All Users\Application Data\BOINC\projects\milkyway.cs.rpi.edu_milkyway\milkyway_nbody_0.04_windows_intelx86.exe
2010-09-06 02:25 . 2010-09-06 02:25 -------- d-----w- c:\documents and settings\Vengence\Local Settings\Application Data\PCHealth
2010-09-05 23:21 . 2010-09-05 23:21 -------- d-----w- c:\documents and settings\LocalService\Application Data\Malwarebytes
2010-09-05 23:16 . 2010-09-06 04:40 -------- d-----w- c:\documents and settings\Vengence\DoctorWeb
2010-09-05 03:40 . 2010-09-18 22:58 -------- d-----w- c:\documents and settings\Vengence\Local Settings\Application Data\WinZip
2010-09-05 02:32 . 2010-09-05 02:32 503808 ----a-w- c:\documents and settings\Vengence\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-318308db-n\msvcp71.dll
2010-09-05 02:32 . 2010-09-05 02:32 499712 ----a-w- c:\documents and settings\Vengence\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-318308db-n\jmc.dll
2010-09-05 02:32 . 2010-09-05 02:32 348160 ----a-w- c:\documents and settings\Vengence\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-318308db-n\msvcr71.dll
2010-09-05 02:32 . 2010-09-05 02:32 61440 ----a-w- c:\documents and settings\Vengence\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-66001e7e-n\decora-sse.dll
2010-09-05 02:32 . 2010-09-05 02:32 12800 ----a-w- c:\documents and settings\Vengence\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-66001e7e-n\decora-d3d.dll
2010-09-05 02:14 . 2010-01-14 20:08 59664 ----a-w- c:\windows\system32\drivers\TfSysMon.sys
2010-09-05 02:14 . 2010-01-14 20:08 51984 ----a-w- c:\windows\system32\drivers\TfFsMon.sys
2010-09-05 02:14 . 2010-01-14 20:08 33552 ----a-w- c:\windows\system32\drivers\TfNetMon.sys
2010-09-05 02:14 . 2010-09-05 02:14 -------- d-----w- c:\program files\ThreatFire
2010-09-05 02:14 . 2010-09-05 02:14 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-09-05 01:51 . 2010-09-05 01:51 -------- d-----w- C:\VritualRoot
2010-09-05 01:51 . 2010-09-29 19:06 -------- d-----w- c:\documents and settings\All Users\Application Data\COMODO
2010-09-05 01:36 . 2010-09-05 01:36 -------- d-----w- c:\program files\COMODO
2010-09-04 23:03 . 2010-09-04 23:03 -------- d-----w- c:\documents and settings\Vengence\Application Data\CyberLink
2010-09-04 23:02 . 2010-09-04 23:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2010-09-04 22:33 . 2010-09-04 22:33 -------- d-----w- c:\documents and settings\Vengence\Application Data\Malwarebytes
2010-09-04 22:29 . 2010-09-04 22:29 -------- d-----w- c:\documents and settings\Vengence\Local Settings\Application Data\Mozilla
2010-09-04 22:08 . 2010-09-04 22:08 -------- d-----w- c:\documents and settings\Vengence\Application Data\Office Genuine Advantage
2010-09-04 22:06 . 2010-09-04 22:06 -------- d-----w- c:\documents and settings\Vengence\Application Data\Windows Search
2010-09-04 22:06 . 2010-09-04 22:06 -------- d-sh--w- c:\documents and settings\Vengence\PrivacIE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-29 19:57 . 2010-08-24 01:56 -------- d-----w- c:\documents and settings\All Users\Application Data\BOINC
2010-09-29 19:56 . 2010-08-18 21:29 0 ----a-w- c:\documents and settings\gravitron5\Local Settings\Application Data\WavXMapDrive.bat
2010-09-29 18:22 . 2010-09-04 22:05 0 ----a-w- c:\documents and settings\Vengence\Local Settings\Application Data\WavXMapDrive.bat
2010-09-29 02:40 . 2010-08-19 01:10 2089872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpavdlta.vdm
2010-09-29 02:40 . 2010-08-19 01:10 381328 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpasdlta.vdm
2010-09-17 17:28 . 2010-08-19 01:10 41722256 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpavbase.vdm
2010-09-17 17:28 . 2010-08-19 01:10 12300688 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpasbase.vdm
2010-09-05 01:51 . 2010-08-18 21:29 64568 ----a-w- c:\documents and settings\gravitron5\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-09-04 22:06 . 2010-09-04 22:05 64568 ----a-w- c:\documents and settings\Vengence\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-09-04 11:54 . 2010-08-12 21:28 -------- d-----w- c:\program files\Microsoft Silverlight
2010-09-04 02:27 . 2010-08-21 03:22 -------- d-----w- c:\documents and settings\gravitron5\Application Data\Folding@home-x86
2010-08-27 12:02 . 2010-08-27 12:02 92816 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files\Kaspersky Anti-Virus 2011 11.0.1.400\English\setup.exe
2010-08-25 03:32 . 2010-08-25 03:32 -------- d-----w- c:\program files\Sandboxie
2010-08-24 02:06 . 2010-08-24 02:06 240640 ----a-w- c:\documents and settings\All Users\Application Data\BOINC\projects\milkyway.cs.rpi.edu_milkyway\milkyway_0.19_windows_intelx86.exe
2010-08-24 01:58 . 2010-08-24 01:56 -------- d-----w- c:\program files\BOINC
2010-08-22 12:25 . 2010-08-22 12:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Creative
2010-08-22 12:25 . 2010-08-12 21:20 64568 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-22 02:16 . 2010-08-18 22:54 -------- d-----w- c:\program files\Common Files\Adobe
2010-08-22 02:09 . 2010-08-18 23:17 772792 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-08-21 13:03 . 2010-08-21 13:03 2338816 ----a-w- c:\documents and settings\gravitron5\Application Data\Folding@home-x86\FahCore_78.exe
2010-08-21 04:01 . 2010-08-21 04:01 -------- d-----w- c:\documents and settings\gravitron5\Application Data\AdobeUM
2010-08-21 03:25 . 2010-08-21 03:25 16636416 ----a-w- c:\documents and settings\gravitron5\Application Data\Folding@home-x86\FahCore_b4.exe
2010-08-21 03:22 . 2010-08-21 03:22 -------- d-----w- c:\program files\Folding@home
2010-08-21 03:02 . 2010-08-21 03:02 -------- d-----w- c:\documents and settings\All Users\Application Data\ElectricSheep
2010-08-21 03:02 . 2010-08-21 03:02 -------- d-----w- c:\program files\Electric Sheep
2010-08-20 22:54 . 2010-08-20 22:54 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink
2010-08-20 02:37 . 2010-08-20 02:37 -------- d-----w- c:\documents and settings\gravitron5\Application Data\Office Genuine Advantage
2010-08-19 01:21 . 2010-08-19 01:21 -------- d-----w- c:\program files\ESET
2010-08-19 01:14 . 2010-08-19 01:14 -------- d-----w- c:\documents and settings\gravitron5\Application Data\Malwarebytes
2010-08-19 01:14 . 2010-08-19 01:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-19 01:14 . 2010-08-19 01:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-19 01:04 . 2010-08-18 22:20 -------- d-----w- c:\program files\SnagIt 7
2010-08-18 23:45 . 2010-08-18 23:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-08-18 23:37 . 2010-08-18 23:27 -------- d-----w- c:\program files\Microsoft Works
2010-08-18 23:28 . 2010-08-18 23:01 -------- d-----w- c:\documents and settings\gravitron5\Application Data\Winamp
2010-08-18 23:27 . 2010-08-18 23:27 -------- d-----w- c:\program files\Common Files\L&H
2010-08-18 23:27 . 2010-08-18 23:27 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-08-18 23:25 . 2010-08-18 23:25 -------- d-----w- c:\program files\Microsoft.NET
2010-08-18 23:18 . 2010-08-18 22:52 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-08-18 23:16 . 2010-08-18 23:16 -------- d-----w- c:\program files\Microsoft Money
2010-08-18 23:13 . 2010-08-18 23:08 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2010-08-18 23:06 . 2010-08-18 23:06 -------- d-----w- c:\program files\IrfanView
2010-08-18 23:03 . 2010-08-18 23:01 -------- d-----w- c:\program files\Winamp
2010-08-18 23:02 . 2010-08-18 23:02 -------- d-----w- c:\program files\Winamp Detect
2010-08-18 22:53 . 2010-08-18 22:53 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-08-18 22:53 . 2010-09-04 22:05 53632 ----a-w- c:\documents and settings\Vengence\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-08-18 22:52 . 2010-08-18 22:52 77184 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-08-18 22:51 . 2010-08-18 22:51 61440 ----a-w- c:\documents and settings\gravitron5\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-657109af-n\decora-sse.dll
2010-08-18 22:51 . 2010-08-18 22:51 503808 ----a-w- c:\documents and settings\gravitron5\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-5dbf277e-n\msvcp71.dll
2010-08-18 22:51 . 2010-08-18 22:51 499712 ----a-w- c:\documents and settings\gravitron5\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-5dbf277e-n\jmc.dll
2010-08-18 22:51 . 2010-08-18 22:51 348160 ----a-w- c:\documents and settings\gravitron5\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-5dbf277e-n\msvcr71.dll
2010-08-18 22:51 . 2010-08-18 22:51 12800 ----a-w- c:\documents and settings\gravitron5\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-657109af-n\decora-d3d.dll
2010-08-18 22:51 . 2010-08-18 22:51 -------- d-----w- c:\program files\Common Files\Java
2010-08-18 22:51 . 2010-08-12 21:16 -------- d-----w- c:\program files\Java
2010-08-18 22:26 . 2010-08-18 22:26 0 ----a-w- c:\windows\nsreg.dat
2010-08-18 22:19 . 2010-08-18 22:02 -------- d-----w- c:\documents and settings\gravitron5\Application Data\U3
2010-08-18 22:17 . 2010-08-18 22:17 -------- d-----w- c:\documents and settings\LocalService\Application Data\Intel
2010-08-18 22:12 . 2010-08-18 22:12 -------- d-----w- c:\documents and settings\gravitron5\Application Data\Windows Search
2010-08-18 22:03 . 2010-08-18 22:03 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-08-18 22:02 . 2010-08-18 22:02 -------- d-----w- c:\documents and settings\gravitron5\Application Data\CyberLink
2010-08-17 13:17 . 2008-04-25 16:16 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-13 04:00 . 2010-08-13 04:00 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_cvusbdrv_01005.Wdf
2010-08-13 03:59 . 2010-08-13 03:59 -------- d-----w- c:\program files\IDT
2010-08-13 03:59 . 2010-08-13 03:59 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_Apfiltr_01009.Wdf
2010-08-13 03:59 . 2010-08-13 03:59 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
2010-08-13 03:59 . 2010-08-13 03:59 -------- d-----w- c:\program files\DellTPad
2010-08-12 23:55 . 2010-08-12 23:55 77824 ----a-w- c:\windows\setpwr32.exe
2010-08-12 23:54 . 2010-08-12 23:54 3864 ----a-w- c:\windows\system32\drivers\1028_Dell_LAT_E6510.mrk
2010-08-12 21:32 . 2010-08-12 21:30 0 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\WavXMapDrive.bat
2010-08-12 21:30 . 2010-09-04 22:05 -------- d-----w- c:\documents and settings\Vengence\Application Data\Intel Corporation
2010-08-12 21:30 . 2010-08-18 21:29 -------- d-----w- c:\documents and settings\gravitron5\Application Data\Intel Corporation
2010-08-12 21:30 . 2010-08-12 21:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\Intel Corporation
2010-08-12 21:30 . 2010-09-04 22:05 -------- d-----w- c:\documents and settings\Vengence\Application Data\Broadcom
2010-08-12 21:30 . 2010-08-18 21:29 -------- d-----w- c:\documents and settings\gravitron5\Application Data\Broadcom
2010-08-12 21:30 . 2010-08-12 21:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\Broadcom
2010-08-12 21:30 . 2010-09-04 22:05 -------- d-----w- c:\documents and settings\Vengence\Application Data\Creative
2010-08-12 21:30 . 2010-08-18 21:29 -------- d-----w- c:\documents and settings\gravitron5\Application Data\Creative
2010-08-12 21:30 . 2010-08-12 21:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\Creative
2010-08-12 21:28 . 2010-08-12 21:28 -------- d-----w- c:\program files\Creative
2010-08-12 21:28 . 2010-08-12 21:28 -------- d-----w- c:\program files\Dell Webcam
2010-08-12 21:28 . 2010-08-12 21:16 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-12 21:28 . 2010-08-12 21:28 -------- d-----w- c:\program files\CyberLink
2010-08-12 21:28 . 2010-08-12 21:24 -------- d-----w- c:\program files\Common Files\InstallShield
2010-08-12 21:27 . 2010-08-12 21:25 -------- d-----w- c:\program files\Windows Live
2010-08-12 21:27 . 2010-08-12 21:27 -------- d-----w- c:\program files\Microsoft Sync Framework
2010-08-12 21:27 . 2010-08-12 21:27 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-08-12 21:26 . 2010-08-12 21:26 -------- d-----w- c:\program files\Microsoft
2010-08-12 21:26 . 2010-08-12 21:26 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-08-12 21:24 . 2010-08-12 21:24 -------- d-----w- c:\program files\Common Files\Windows Live
2010-08-12 21:24 . 2010-08-12 21:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Uninstall
2010-08-12 21:24 . 2010-08-12 21:24 -------- d-----w- c:\program files\Common Files\SureThing Shared
2010-08-12 21:24 . 2010-08-12 21:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic
2010-08-12 21:24 . 2010-08-12 21:24 -------- d-----w- c:\program files\Common Files\Sonic Shared
2010-08-12 21:24 . 2010-08-12 21:24 -------- d-----w- c:\program files\Common Files\Roxio Shared
2010-08-12 21:24 . 2010-08-12 21:24 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2010-08-12 21:24 . 2010-08-12 21:24 -------- d-----w- c:\program files\Roxio
2010-08-12 21:24 . 2010-09-04 22:05 -------- d-----w- c:\documents and settings\Vengence\Application Data\Roxio Log Files
2010-08-12 21:24 . 2010-08-18 21:29 -------- d-----w- c:\documents and settings\gravitron5\Application Data\Roxio Log Files
2010-08-12 21:24 . 2010-08-12 21:24 -------- d-----w- c:\documents and settings\Administrator\Application Data\Roxio Log Files
2010-08-12 21:23 . 2010-08-12 21:21 -------- d-----w- c:\program files\Wave Systems Corp
.

------- Sigcheck -------

[7] 2008-04-14 . DA1F27D85E0D1525F6621372E7B685E9 . 4224 . . [5.1.2600.0] . . c:\windows\system32\dllcache\beep.sys

c:\windows\System32\drivers\beep.sys ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
@="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
[HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]
2010-03-29 17:45 62832 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
@="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
[HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]
2010-03-29 17:45 62832 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2010-08-09 389352]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-09-10 2424560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2010-05-12 288112]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2010-04-05 495708]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2010-04-05 737280]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-04-26 170008]
"OA015Mon"="c:\windows\OA015Mon.exe" [2009-12-08 24576]
"IAStorIcon"="c:\program files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-03-04 284696]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2009-09-21 1392640]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2009-09-21 1206544]
"IMSS"="c:\program files\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe" [2010-04-14 112152]
"DellControlPoint"="c:\program files\Dell\Dell ControlPoint\Dell.ControlPoint.exe" [2009-11-02 657920]
"WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2010-07-21 159616]
"USCService"="c:\program files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe" [2010-06-22 34232]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-12-29 140520]
"Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2010-03-12 462993]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-06-01 1093208]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"boincmgr"="c:\program files\BOINC\boincmgr.exe" [2010-07-01 4862720]
"boinctray"="c:\program files\BOINC\boinctray.exe" [2010-07-01 58112]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-09-29 2500552]
"ThreatFire"="c:\program files\ThreatFire\TFTray.exe" [2010-01-14 378128]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2010-2-16 632160]
TdmNotify.lnk - c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmNotify.exe [2010-3-29 132456]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

R0 stdflt;Disk Filter Driver for Accelerometer;c:\windows\system32\drivers\stdfltn.sys [8/12/2010 5:19 PM 17072]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [9/4/2010 10:14 PM 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [9/4/2010 10:14 PM 59664]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [6/4/2010 11:55 AM 229312]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [6/1/2010 7:00 PM 25240]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\Dell\Dell ControlPoint\DCPButtonSvc.exe [11/20/2009 6:42 PM 278304]
R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [3/24/2010 1:09 AM 812448]
R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [3/24/2010 1:09 AM 27040]
R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe [12/10/2009 2:09 PM 376608]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [8/12/2010 5:18 PM 13336]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/18/2010 9:14 PM 304464]
R2 risdpcie;risdpcie;c:\windows\system32\drivers\risdpe86.sys [8/12/2010 7:54 PM 59904]
R2 ThreatFire;ThreatFire;c:\program files\ThreatFire\TFService.exe service --> c:\program files\ThreatFire\TFService.exe service [?]
R2 UNS;Intel® Management & Security Application User Notification Service;c:\program files\Intel\Intel® Management Engine Components\UNS\UNS.exe [8/12/2010 5:20 PM 2533400]
R3 Acceler;Accelerometer Service;c:\windows\system32\drivers\Accelern.sys [8/12/2010 5:19 PM 42672]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [8/12/2010 7:54 PM 113664]
R3 CtAudDrv;Provides advanced audio effects for audio devices.;c:\windows\system32\drivers\CtAudDrv.sys [8/12/2010 5:28 PM 134144]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [8/12/2010 5:28 PM 144576]
R3 cvusbdrv;Dell ControlVault;c:\windows\system32\drivers\cvusbdrv.sys [8/12/2010 7:55 PM 33832]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [8/12/2010 7:55 PM 167080]
R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [8/12/2010 7:55 PM 132480]
R3 IntcDAud;Intel® Display Audio;c:\windows\system32\drivers\IntcDAud.sys [8/12/2010 7:55 PM 235520]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/18/2010 9:14 PM 20952]
R3 OA015Afx;Provides a software interface to control audio effects of OA015 camera.;c:\windows\system32\drivers\OA015Afx.sys [8/12/2010 7:55 PM 134144]
R3 OA015Vid;Creative Camera OA015 Function Driver;c:\windows\system32\drivers\OA015Vid.sys [8/12/2010 7:55 PM 273568]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [9/4/2010 10:14 PM 33552]
S2 InstallFilterService;FF Install Filter Service;c:\program files\STMicroelectronics\AccelerometerP11\InstallFilterService.exe [8/12/2010 5:19 PM 60928]
S3 Normandy;Normandy SR2; [x]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/25/2008 12:16 PM 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder

2010-09-29 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 01:40]

2010-09-29 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\documents and settings\gravitron5\Application Data\Mozilla\Firefox\Profiles\kevq7tyb.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.jerrypournelle.com/
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-29 16:18
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ThreatFire]
"AlternateImagePath"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(972)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\program files\ThreatFire\TFWAH.dll
c:\program files\ThreatFire\TFNI.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\ThreatFire\TFMon.dll
c:\program files\ThreatFire\TFRK.dll

- - - - - - - > 'lsass.exe'(1028)
c:\windows\system32\wvauth.dll
c:\windows\system32\WININET.dll
c:\program files\ThreatFire\TFWAH.dll
.
Completion time: 2010-09-29 16:25:38
ComboFix-quarantined-files.txt 2010-09-29 20:25

Pre-Run: 260,722,667,520 bytes free
Post-Run: 260,948,115,456 bytes free

- - End Of File - - DC19E28A5F5DEFF150EE4DC911209B23
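The ComboFix log above is the kind of artifact a responder ends up triaging by hand. The script below is an added example (my own code, not ComboFix's, BleepingComputer's or the poster's) that parses the "Reg Loading Points" section of such a log and ranks every persistence point by how much a binary loaded there can reach: AppInit_DLLs, LSA packages, Winlogon Notify and ShellExecuteHooks entries come first, ordinary Run entries second, firewall exceptions last. The sample input is a constructed excerpt of the log above plus one made-up Run entry ("FakeUpdater", pointing into a Temp folder) that is not in the posted log and exists only to exercise the unusual-location check. The priority tables, the `DEFAULT_LSA` set and the `EXPECTED_DIRS` list are my assumptions, not anything ComboFix emits.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example for this thread, not ComboFix's or BleepingComputer's code.
It parses the autostart section of a log like the one above and tags each
persistence point with a priority so that entries which load code into
winlogon, lsass or every process are read first. The priority is a triage
heuristic, not a verdict: each path still needs a hash/signature check.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: lines copied from the posted log, plus ONE made-up Run
# entry ("FakeUpdater", a Temp-folder path) that is NOT in the log and exists
# only to exercise the unusual-location check.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2010-08-09 389352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OA015Mon"="c:\windows\OA015Mon.exe" [2009-12-08 24576]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-06-01 1093208]
"FakeUpdater"="c:\documents and settings\user\Local Settings\Temp\upd.exe" [2010-09-28 12345]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
"""

# Assumed priority tables: substrings of "<key>\<value name>" (lowercased).
HIGH = {
    "appinit_dlls": "DLL injected into every process that loads user32.dll",
    "\\control\\lsa": "package loaded into lsass.exe (handles credentials)",
    "winlogon\\notify": "DLL loaded into winlogon.exe at logon",
    "shellexecutehooks": "DLL loaded into Explorer, sees every ShellExecute call",
}
MEDIUM = {
    "\\currentversion\\run": "runs at user or machine logon",
    "shelliconoverlayidentifiers": "DLL loaded into Explorer",
}
# Assumed Windows defaults for the LSA package values ComboFix prints.
DEFAULT_LSA = {"msv1_0", "scecli", "kerberos", "schannel", "wdigest", "negotiate"}
EXPECTED_DIRS = ("c:\\program files\\", "c:\\windows\\")

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
PATH_RE = re.compile(r'([a-z]:\\[^"\[\]]*?\.(?:exe|dll|sys|cpl|ocx|scr))(?=["\s\]]|$)', re.I)


@dataclass
class Finding:
    key: str
    name: str
    path: Optional[str]
    priority: str
    notes: List[str] = field(default_factory=list)


def unusual_location(path: str) -> bool:
    """True for binaries outside Program Files/Windows or inside per-user temp areas."""
    p = path.lower()
    if any(tok in p for tok in ("\\temp\\", "\\local settings\\", "\\application data\\")):
        return True
    return not p.startswith(EXPECTED_DIRS)


def classify(key: str, name: str):
    """Map a registry location to (priority, reason) using the tables above."""
    loc = f"{key}\\{name}".lower()
    for table, level in ((HIGH, "high"), (MEDIUM, "medium")):
        for token, why in table.items():
            if token in loc:
                return level, why
    return "info", ""


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                 # a new registry key header
            continue
        if not key:
            continue
        m = VALUE_RE.match(line)
        if m:                                # "Name"="value" [date size]
            name, value = m.group("name"), m.group("value")
        elif " REG_MULTI_SZ " in line:       # LSA package lists
            name, value = line.split(" REG_MULTI_SZ ", 1)
        else:                                # file line under a Notify/CLSID key
            name, value = key.rsplit("\\", 1)[-1], line
        pm = PATH_RE.search(value)
        path = pm.group(1) if pm else None
        level, why = classify(key, name)
        f = Finding(key, name, path, level)
        if why:
            f.notes.append(why)
        if path and unusual_location(path):
            f.notes.append("unusual location: " + path)
        if "\\control\\lsa" in key.lower():
            extra = [p for p in value.split() if p.lower() not in DEFAULT_LSA]
            if extra:
                f.notes.append("non-default package(s): " + ", ".join(extra)
                               + " (verify the DLL's publisher)")
        if "firewallpolicy" in key.lower():
            f.notes.append("firewall exception" + (" (rule disabled)" if ":Disabled:" in value else ""))
        findings.append(f)
    return findings


def count_by_priority(findings: List[Finding]) -> dict:
    counts = {"high": 0, "medium": 0, "info": 0}
    for f in findings:
        counts[f.priority] += 1
    return counts


if __name__ == "__main__":
    order = {"high": 0, "medium": 1, "info": 2}
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: order[f.priority]):
        print(f"[{f.priority:6}] {f.name:<40} {f.path or '-'}")
        for n in f.notes:
            print(" " * 9 + "- " + n)
```

Run as a script it prints the high-priority entries first. On the posted log the two entries it would surface at the top are the AppInit_DLLs value (guard32.dll) and the non-default LSA authentication package wvauth; the log also shows COMODO and Wave Systems Corp software installed, so those are the publishers to check them against. The script only ranks; confirming each DLL's publisher and hash is still manual work.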


#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:20 PM

Posted 29 September 2010 - 10:27 PM

Hello

Let's try this to get you back online; let me know if it works.

Download and run WinSockFix. This is a two-step process that will back up the registry and reset the Winsock stack.
  • Double-click on WinsockXPFix.exe to open it.
  • On the Winsock and TCP Repair Utility screen, click "ReG-Backup".
  • On the ERDNT Welcome screen, click "OK".
  • On the Backup to: screen, click "OK".
  • On the Folder does not exist question screen, click "Yes".
  • You will see a status screen as your registry is being backed up.
  • On the Registry backup is complete! screen, click "OK" and you will go back to the main window.
  • On the Winsock and TCP Repair Utility screen, click "Fix".
  • On the Apply the VB_Winsock fix? screen, click "Yes".
  • The screen will display a status message "repair completed please reboot."
  • On the Repair Completed screen, click "OK" to reboot your computer.
  • If your computer was not using DHCP, you will need to reconfigure TCP/IP.
  • You should have connectivity restored.
If you have internet back, come back and let me know; if not, go to the next step.

Download LSPFix and save it to your desktop.
alternate download site
alternate download site
  • Disconnect from the Internet, go to the LSPFix file and extract (unzip) LSP-Fix into its own folder such as C:\lspfix. (Click here for information on how to do this if you are not sure. Win 9x/2000 users click here.)
  • Open the lspfix folder and double-click on LSPFix.exe to start the program.
  • Check the "I know what I am doing" checkbox.
  • Click "Finish" and LSPFix will restore the chain numbers.
  • Restart the computer.


Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#7 gravitron5

gravitron5
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:08:20 PM

Posted 30 September 2010 - 12:28 PM

Gringo,

Neither of those worked.

When I ran WinSockFix, I got some error messages during the registry-backup process (it couldn't create or copy some files, IIRC); however, the "Fix" process ran fine. Restarted the computer, and still got "limited or no connectivity". (My computer has DHCP enabled, so I didn't have to reconfigure TCP/IP.)

Ran LSPFix; it found no errors, and says it made no changes. I restarted the computer anyway, and still have "limited or no connectivity".

Thoughts?

#8 gringo_pr

Posted 01 October 2010 - 01:37 PM

Hello

OK, let's try this.

For XP: Start, Run, CMD to open a command prompt.

At the command prompt, type in each line and press Enter:
    netsh winsock reset catalog

    netsh int ip reset reset.log

Reboot the machine.


Let me know if this worked.


gringo

#9 gravitron5 (Topic Starter)

Posted 01 October 2010 - 02:34 PM

Gringo,

Did the resets & restarted the computer. Still didn't work, however. I'm still getting "limited or no connectivity" on both Ethernet & wireless.

Comodo is still bugging me about LMS.exe & UNS.exe trying to access "0.0.0.0 -86".

Also, about an hour ago I was watching a DVD on my computer, and my mouse started acting weird, as if the left-click was being pressed every 2-3 seconds or so. I'm thinking it was a software issue since it still happened even after I switched out mice. It now seems to have gone away, however.

#10 gringo_pr

Posted 01 October 2010 - 08:54 PM

Hello

LMS.exe is legit - http://www.processlibrary.com/directory/files/lms/

uns.exe is legit - http://www.processlibrary.com/directory/files/uns/

I want you to go here and see how to check and turn off Windows Firewall - http://support.microsoft.com/kb/283673

I also want you to shut off Comodo for a short time and see if you can connect to the internet.

Don't worry about not having a firewall; if anything happens, I am here.

Gringo

#11 gravitron5 (Topic Starter)

Posted 02 October 2010 - 09:09 AM

Gringo,

I deactivated both firewalls - Comodo & Windows - but I still can't connect.

#12 gringo_pr

Posted 02 October 2010 - 04:32 PM

Leave Comodo off for now and rerun ComboFix.


Gringo

#13 gravitron5 (Topic Starter)

Posted 02 October 2010 - 10:43 PM

Gringo,

Re-ran Combofix. Twice, actually; mid-way through the first run, I remembered that I could install the Windows Recovery Console from my XP recovery CD, so after Combofix finished running, I installed the Recovery Console, and then ran Combofix again.

Both times, I deactivated Comodo per these instructions:

http://www.bleepingcomputer.com/forums/topic114351.html

...however, for some reason, Combofix still said Comodo was active (see the logs).

I've attached the logs from both Combofix scans (wasn't sure if you wanted the logs posted or attached). "Combofix Log2.txt" was from my first scan (w/o Recovery Console); "Combofix Log3.txt" was my second one (after I installed Recovery Console).

Attached Files



#14 gringo_pr

Posted 02 October 2010 - 10:55 PM

Have you been able to connect after running ComboFix again?


#15 gravitron5 (Topic Starter)

Posted 03 October 2010 - 12:06 PM

No; still getting "limited or no connectivity". Should I maybe uninstall Comodo?



